CVE-2022-21722

NameCVE-2022-21722
DescriptionPJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2962-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)stretch1:13.14.1~dfsg-2+deb9u4fixed
stretch (security)1:13.14.1~dfsg-2+deb9u6fixed
buster1:16.2.1~dfsg-1+deb10u2vulnerable
bullseye1:16.16.1~dfsg-1vulnerable
bullseye (security)1:16.16.1~dfsg-1+deb11u1vulnerable
bookworm, sid1:18.12.0~dfsg+~cs6.12.40431413-1vulnerable
pjproject (PTS)stretch2.5.5~dfsg-6+deb9u1vulnerable
stretch (security)2.5.5~dfsg-6+deb9u4fixed
ring (PTS)stretch20161221.2.7bd7d91~dfsg1-1vulnerable
stretch (security)20161221.2.7bd7d91~dfsg1-1+deb9u1vulnerable
buster20190215.1.f152c98~ds1-1+deb10u1vulnerable
sid, bullseye20210112.2.b757bac~ds1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksourcestretch(not affected)
asterisksource(unstable)(unfixed)
pjprojectsourcestretch2.5.5~dfsg-6+deb9u3DLA-2962-1
pjprojectsource(unstable)(unfixed)
ringsource(unstable)(unfixed)

Notes

[stretch] - asterisk <not-affected> (Vulnerable code not present)
https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36
https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a

Search for package or bug name: Reporting problems